Tahseen AlAktaa
Chief Information Officer
Information Security Management System

These are the ways in which an ISO27k ISMS will typically benefit the organization.

Information security risk reduction
- Strengthens the existing information security control environment by (re-)emphasizing business information security control requirements, upgrading current information security policies, controls etc. and providing a stimulus to review and, where necessary, improve information security controls periodically – risk reduction
- A comprehensive, well-structured approach increases the likelihood that all relevant information security threats, vulnerabilities and impacts will be identified, assessed and treated rationally – risk reduction
- A professional, standardized and rational risk management approach gives consistency across multiple information/communications (ICT) systems and business processes over time, and addresses information security risks according to their relative priorities – risk reduction
- Increases our ability to transfer certain risks selectively to insurers or other third parties, and may facilitate negotiating reduced insurance premiums as key controls are implemented and managed – cost saving
- Managers and staff become increasingly familiar with information security terms, risks and controls – risk reduction
Benefits of standardization
- Provides a security baseline, i.e. a solid platform of basic, almost universally required information security controls on which to implement specific additional controls as appropriate – cost saving
- An embodiment of good practices; avoids ‘re-inventing the wheel’ – cost saving
- Avoids having to specify the same basic controls repeatedly in every situation – cost saving
- Is generally applicable and hence re-usable across multiple departments, functions, business units and organizations without significant changes – cost saving
- Allows the organization to concentrate effort and resources on the specific additional security requirements necessary to protect particular information assets – cost saving
- Based on globally recognized and well-respected security standards – brand value
- The ISO27k standards suite is being actively developed and maintained by the standards bodies, reflecting new security challenges (such as BYOD and cloud computing) – brand value
- Formally defines specialist terms, enabling information security issues to be discussed, analyzed and addressed consistently by various people at different times – cost saving
- Allows unnecessary, inappropriate or excessive controls to be relaxed or removed without unduly compromising valuable information assets – cost saving
- Being risk-based, the ISO27k approach is flexible enough to suit any organization, as opposed to more rigid and prescriptive standards such as PCI-DSS – cost saving

Benefits of a structured approach
- Provides a logically consistent and reasonably comprehensive framework/structure for disparate information security controls – cost saving
- Provides the impetus to review systems, data and information flows, with the potential to reduce the overhead of duplicated and other unnecessary systems/data/processes and to improve the quality of information (business process re-engineering) – cost saving
- Provides a mechanism for measuring performance and incrementally raising the information security status over the long term – cost saving and risk reduction
- Builds a coherent set of information security policies, procedures and guidelines, tailored to the organization and formally approved by management – long-term benefits
Benefits of certification
- Formal confirmation by an independent, competent assessor that the organization’s ISMS fulfills the requirements of ISO/IEC 27001 – risk reduction
- Provides assurance regarding an organization’s information security management capabilities (and, by implication, its information security status) for employees, owners, business partners, suppliers, regulators, auditors and other stakeholders, without requiring numerous individual evaluations, assessments or audits, or having to rely purely on management assertions and assumptions – cost saving and risk reduction
- Positions the organization as a secure, trustworthy and well-managed business partner (similar to the ISO 9000 stamp for quality assurance) – brand value
- Demonstrates management’s clear commitment to information security for corporate governance, compliance or due diligence purposes – cost saving and risk reduction

Benefits of compliance
- ISO27k provides an overarching framework for information security management that encompasses a broad range of both external and internal requirements, leveraging the common elements – cost saving and risk reduction
- Stakeholders or authorities may at some point insist that the organization complies with ISO27k as a condition of business or to satisfy privacy and other laws, whereas implementing it on our own terms and timescales is likely to be more cost-effective (e.g. we can prioritize aspects that offer the greatest business value, and take advantage of planned IT system or facility upgrades to improve security at minimal extra cost) – cost saving
- Adopting generally acknowledged good practices provides a valid defense in case of legal/regulatory enforcement actions following information security incidents – cost saving and risk reduction
Understanding the Goals of Information Security
Like so many things, the goals of information security are straightforward. They create the framework that is used for developing and maintaining a security plan. They’re remarkably easy to express but extremely hard to carry out. These goals are as follows:
Prevention

Prevention refers to preventing computer or information violations from occurring; it is much easier to deal with violations before they occur than after. Security breaches are also referred to as incidents. When an incident occurs, it may be the result of a breakdown in security procedures.

Incidents come in all shapes and sizes. Simple incidents include things such as losing a password or leaving a terminal logged on overnight. They can also be quite complex and result in the involvement of local or federal law enforcement personnel. If a group of hackers were to attack and deface your website, you would consider this a major incident. Ideally, your security procedures and policies would make you invulnerable to an attack; unfortunately, this isn’t usually the case. The better your prevention policies, however, the lower the likelihood of a successful attack occurring.
Detection

Detection refers to identifying events when they occur. Detection is difficult in many situations; an attack on your system may occur over a long period before it’s successful. Incident detection involves identifying the assets under attack, how the incident occurred, and who carried it out (or is still doing so). The detection process may involve a variety of complicated tools or a simple examination of the system log files. Detection activities should be ongoing and part of your information security policies and procedures.
Response

Response refers to developing strategies and techniques to deal with an attack or loss. Developing an appropriate response to an incident involves several factors. If the incident was a probe, the attacker may have done no actual harm but may be gathering intelligence about your network or systems. These types of attacks may be random or targeted, and they usually cause little damage. Occasionally, an attack will be successful. When that happens, it is helpful to have a well-thought-out and tested plan you can use to respond, restore operation, and neutralize the threat. It’s always better to have a set of procedures and methods in place to recover from an incident than to try to create those processes on the fly.
These goals are an important part of setting benchmarks for an organization. You can’t allow these policies or goals to become insignificant. If you do, you and your organization are setting yourselves up for a surprise. Unfortunately, the surprise won’t be pleasant, and it may be very costly to deal with.
Comprehending the Security Process

It helps to think of security as a combination of three Ps: processes, procedures, and policies. The security of information involves both human and technical factors. The human factors are addressed by the policies that are enforced in the organization as well as the processes and procedures your organization has in place. The technology components include the tools you install on the systems you work with. There are several parts to this process, and each is described in the following sections.